© 2013 – PROPRIETARY AND CONFIDENTIAL INFORMATION OF CVIDYA
Hacking PBXs for International Revenue Share Fraud
Tal Eisner CFCA Winter Educational event Seattle, WA
October 2013
Content
The PBX hacking challenge: questions to be asked, answers to be given
Case study from a European operator
– What happened?
– How was it detected?
– Action items and measures taken
Lessons learned
PBX Hacking
Global annual damages of over $4B
Reported incidents have increased dramatically since the introduction and market penetration of IP-based PBXs
The mode of operation has become sophisticated and professional
IP-based PBX security layers are relatively thin and vulnerable
The consequences of hacking are extensive, and the financial implications must be addressed
Frequently Asked Questions
– Who is liable for the calls?
– How is a PBX being accessed?
– How does such hacking take place?
– What is the incentive to commit PBX hacking?
– What protective measures can be taken against such hacking?
– What kind of preventive measures can be taken?
Case Study
Tier 2 operator in Europe detects an organized, sophisticated hacking scheme
The FMS (fraud management system) started alerting on high volumes of calls within short time periods to hot-listed risky number ranges
The primary investigation concluded the following:
– Calls had long durations
– All destinations were PRS/IRSF (premium-rate service / international revenue share fraud) numbers
– Abnormal accumulated volumes in overlapping time frames (e.g., a total of 5 hours of call time within a 45-minute window)
– All CDRs carried call-forwarding (CFW) indicators, and optional numbers (the forwarding party's number) were present
FraudView Alerts on Abnormal Traffic
Mode of Operation
Attackers reach the PBX over IP and port-scan it
Hackers seek an "open port" to use as an international gateway
To check whether the gate is "open", hackers dial test numbers to confirm that the line has international access
Known test numbers circulate as hot lists in the hacker community
Once an open gate is established and verified, an immediate surge of calls follows
Calls are forwarded from the PBX extension to PRS numbers
ALL calls are transferred to PRS destinations
Forwarding All Calls to PRS Destinations
Online Publications of Test Numbers
Gathering Intelligence on Test Numbers
Detection Process
Controls on:
– Calls forwarded to international destinations
– Calls redirected by optional numbers to known risky/PRS ranges
– Aggregation of calls to international destinations (mainly PRS)
– Accumulation of call time within a short time frame (e.g., 5 hours of calls within a 1-hour window)
– Detection of series of calls with similar durations (an indication of an automatic dialer)
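The controls above, implemented as an added example that is not part of the original deck or of any cVidya product: a small rule set run over constructed sample CDRs. The CDR layout, the home country code, the hot-listed prefixes, the thresholds and the sample numbers are all assumptions chosen for illustration; a real deployment would read these from the FMS reference data.

```python
# Added example (not from the original deck): the detection controls listed
# above as plain rules over constructed CDRs. Prefixes, thresholds, numbers
# and the CDR layout are assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import pstdev

HOME_COUNTRY_CODE = "44"                    # assumption: operator's home country
HOT_LIST_PREFIXES = ("882", "883", "252")   # assumption: hot-listed PRS/IRSF ranges


@dataclass
class CDR:
    start: datetime
    pbx: str            # customer PBX / trunk identifier
    called: str         # called number, E.164 digits without '+'
    forwarded_by: str   # the "optional number" that redirected the call, "" if none
    duration: int       # seconds


def is_international(number: str) -> bool:
    return not number.startswith(HOME_COUNTRY_CODE)


def is_hot_listed(number: str) -> bool:
    return number.startswith(HOT_LIST_PREFIXES)


def forwarded_international(cdrs):
    """Control 1: calls forwarded (CFW) to an international destination."""
    return [c for c in cdrs if c.forwarded_by and is_international(c.called)]


def forwarded_to_risky(cdrs):
    """Control 2: calls redirected by an optional number to a hot-listed range."""
    return [c for c in cdrs if c.forwarded_by and is_hot_listed(c.called)]


def accumulation_alerts(cdrs, window=timedelta(hours=1), threshold_s=5 * 3600):
    """Controls 3/4: per PBX, sum international talk time over a sliding window
    of call start times. Returns {pbx: peak accumulated seconds} for every PBX
    whose peak exceeds the threshold (default: over 5 hours of calls in 1 hour)."""
    by_pbx = defaultdict(list)
    for c in sorted(cdrs, key=lambda c: c.start):
        if is_international(c.called):
            by_pbx[c.pbx].append(c)
    alerts = {}
    for pbx, calls in by_pbx.items():
        total, j = 0, 0
        for c in calls:
            total += c.duration
            while c.start - calls[j].start > window:   # slide the window forward
                total -= calls[j].duration
                j += 1
            if total > threshold_s:
                alerts[pbx] = max(alerts.get(pbx, 0), total)
    return alerts


def auto_dialer_series(cdrs, min_calls=5, max_spread_s=5.0):
    """Control 5: min_calls consecutive calls whose durations differ by only a
    few seconds (low standard deviation) indicate an automatic dialer."""
    by_pbx = defaultdict(list)
    for c in sorted(cdrs, key=lambda c: c.start):
        by_pbx[c.pbx].append(c.duration)
    flagged = set()
    for pbx, durations in by_pbx.items():
        for i in range(len(durations) - min_calls + 1):
            if pstdev(durations[i:i + min_calls]) <= max_spread_s:
                flagged.add(pbx)
                break
    return flagged


def run_controls(cdrs):
    return {
        "cfw_international": len(forwarded_international(cdrs)),
        "cfw_to_risky": len(forwarded_to_risky(cdrs)),
        "accumulation": accumulation_alerts(cdrs),
        "auto_dialer": auto_dialer_series(cdrs),
    }


# Constructed sample CDRs: pbx-A is compromised (CFW to a hot-listed range,
# hour-long calls fired every five minutes); pbx-B carries ordinary traffic.
T0 = datetime(2013, 10, 1, 10, 0)
SAMPLE_CDRS = [
    CDR(T0 + timedelta(minutes=5 * i), "pbx-A", "88213012345", "442079460001", d)
    for i, d in enumerate((3590, 3600, 3595, 3600, 3598, 3601))
] + [
    CDR(T0, "pbx-B", "442079460002", "", 120),
    CDR(T0 + timedelta(minutes=7), "pbx-B", "442079460003", "", 45),
    CDR(T0 + timedelta(minutes=20), "pbx-B", "14155550123", "", 300),  # direct, not forwarded
    CDR(T0 + timedelta(minutes=40), "pbx-B", "442079460004", "", 610),
]

if __name__ == "__main__":
    print(run_controls(SAMPLE_CDRS))
```

On the constructed data only pbx-A fires: six forwarded calls to a hot-listed range, about six hours of talk time started within 25 minutes, and durations within a few seconds of each other. pbx-B's single direct international call is not flagged by the CFW rules, which is the point of keying those rules on the optional (forwarding) number rather than on the destination alone.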
Observations
Modus operandi:
Manipulation of the originating number for disguise
Repeated attempts to forward calls straight after the option is blocked
Significant volumes of calls: such acts are not designed for "small change"
The dominant motivation for hacking is inflation of PRS traffic
Hacking CFW "attack" (diagram)
Detecting via Optional Number (CFW)
Scanning via Test Numbers for Open Ports
From Reaction to Prevention
The core of the attack lies in CFW to international destinations
Action taken:
– Deletion of international CFW (CFW INTL) at the provisioning level
– Request to cancel the feature for existing and new customers
– A response process for exceptions
The hacker tries any means to disguise his/her identity, carrier, destinations and optional number; quick analysis and response are therefore key!
ALL calls to known test numbers are monitored and analyzed
Restriction of the traffic that can accumulate simultaneously over a PBX (a cap on concurrent calls)
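The three preventive measures on this slide (refusing international CFW targets at provisioning time unless an exception is on file, alerting on any call to a known test number, and capping concurrent international calls per PBX), written out as an added example that is not part of the original deck or of the operator's own systems. The customer record, the test-number list, the home country code and the concurrency cap are assumptions; the phone numbers are drawn from ranges reserved for fiction.

```python
# Added example (not from the original deck): operator-side preventive
# controls matching the slide above. Customer fields, the test-number
# hot list, the country code and the cap are assumptions for illustration.
from dataclasses import dataclass, field

HOME_COUNTRY_CODE = "44"                                  # assumption
KNOWN_TEST_NUMBERS = {"12025550199", "441632960999"}      # assumption: circulated test numbers


@dataclass
class Customer:
    cid: str
    intl_cfw_exception: bool = False   # documented exception after CFW INTL cancellation
    max_concurrent_intl: int = 2       # cap on simultaneous international calls over the PBX
    active_intl: set = field(default_factory=set)


def validate_cfw_target(customer: Customer, target: str) -> bool:
    """Provisioning-level control: a CFW target outside the home country is
    refused unless the customer holds a documented exception."""
    if target.startswith(HOME_COUNTRY_CODE):
        return True
    return customer.intl_cfw_exception


def is_test_number_probe(called: str) -> bool:
    """Any call to a known test number is a reconnaissance indicator and is
    alerted on regardless of volume or duration."""
    return called in KNOWN_TEST_NUMBERS


def admit_call(customer: Customer, call_id: str, called: str) -> bool:
    """Admission control: reject a new international call once the PBX already
    has max_concurrent_intl international calls in progress."""
    if called.startswith(HOME_COUNTRY_CODE):
        return True
    if len(customer.active_intl) >= customer.max_concurrent_intl:
        return False
    customer.active_intl.add(call_id)
    return True


def release_call(customer: Customer, call_id: str) -> None:
    """Free a concurrency slot when the call ends."""
    customer.active_intl.discard(call_id)


def demo():
    c = Customer("cust-1")
    results = {
        "cfw_domestic": validate_cfw_target(c, "442079460001"),
        "cfw_prs": validate_cfw_target(c, "88213012345"),
        "probe": is_test_number_probe("12025550199"),
        # three back-to-back international calls: the third exceeds the cap
        "admit": [admit_call(c, f"call-{i}", "88213012345") for i in range(3)],
    }
    release_call(c, "call-0")
    results["admit_after_release"] = admit_call(c, "call-3", "88213012345")
    return results


if __name__ == "__main__":
    print(demo())
```

The cap is deliberately enforced per customer PBX rather than per extension, because the case study's surge came from a single compromised PBX forwarding every call; an extension-level limit would be bypassed by spreading the forwarded calls across extensions.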
CFW Provisioning by Hacker
Lessons Learned
Maximum visibility of customer details is a must
The old methods of simply calling PBX extensions are gone…
Controls must be updated constantly:
– Thresholds to be tuned
– Destinations to be changed
SS7 information provides flexible switching data that might be key
Real-time alerting via email/SMS can prevent large-scale financial impacts
Cross-company cooperation is essential for thorough investigations and a deeper understanding of the phenomenon
THANK YOU! www.cvidya.com